
CVE-2026-45185: unauthenticated remote code execution in Exim with GnuTLS

Exim still carries a large share of the internet’s email, so an unauthenticated remote code execution bug in it deserves attention. CVE-2026-45185 is exactly that: a use-after-free affecting versions 4.97 through 4.99.2, fixed in Exim 4.99.3, released on 12 May 2026.

What the vulnerability is

The flaw lives in the TLS connection teardown while Exim processes chunked SMTP traffic via BDAT (the CHUNKING extension). During that shutdown Exim frees a TLS transfer buffer but keeps stale callback references that still point at the freed memory. When those references are used afterwards, data ends up written into the freed region. From there an attacker can work toward controlling execution flow, which is why the bug yields remote code execution.

What makes it serious is that no authentication is required. An attacker who can speak SMTP to the server and steer it down the BDAT path followed by a TLS shutdown has the raw material to attempt exploitation.

Who is affected

Not every Exim install is exposed. Three conditions have to line up for the flaw to be exploitable:

  • The binary is compiled against GnuTLS (OpenSSL-based builds are not affected).
  • The server advertises STARTTLS.
  • The server advertises CHUNKING.

This matters because several distributions package Exim against GnuTLS. Debian and Ubuntu, for example, ship affected builds, and both were notified on 8 May 2026 to prepare patches. If you run an Exim MTA, the first step is to check which TLS library it was built against and which extensions it advertises in the SMTP greeting.
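A small POSIX shell check for the three preconditions, added here as an example and not code from the Exim project or the article. It assumes `exim -bV` names the TLS library on its "Support for:" line (GnuTLS or OpenSSL) and that you have captured a verbatim EHLO response from the server; the sample inputs below are constructed.

```shell
#!/bin/sh
# Added example: decide whether an Exim build and its SMTP greeting line up
# with the CVE-2026-45185 preconditions (GnuTLS build, STARTTLS, CHUNKING).
# Assumption: `exim -bV` prints the TLS library on its "Support for:" line.

# exposure_check BV_OUTPUT EHLO_RESPONSE
# Prints one line per condition and exits 0 only when all three hold.
exposure_check() {
  bv=$1
  ehlo=$2
  hits=0
  if printf '%s\n' "$bv" | grep -i '^Support for:' | grep -qi 'gnutls'; then
    echo "gnutls build: yes"; hits=$((hits + 1))
  else
    echo "gnutls build: no"
  fi
  # EHLO lines look like "250-STARTTLS" or "250 STARTTLS" (last line).
  if printf '%s\n' "$ehlo" | grep -qi '^250[ -]STARTTLS'; then
    echo "starttls advertised: yes"; hits=$((hits + 1))
  else
    echo "starttls advertised: no"
  fi
  if printf '%s\n' "$ehlo" | grep -qi '^250[ -]CHUNKING'; then
    echo "chunking advertised: yes"; hits=$((hits + 1))
  else
    echo "chunking advertised: no"
  fi
  [ "$hits" -eq 3 ]
}

# Constructed sample: a GnuTLS-linked 4.99.2 build advertising both extensions.
SAMPLE_BV='Exim version 4.99.2 #1 built 01-Jan-2026 00:00:00
Support for: crypteq iconv() IPv6 GnuTLS DKIM DNSSEC'
SAMPLE_EHLO='250-mail.example.test Hello check [192.0.2.10]
250-SIZE 52428800
250-PIPELINING
250-CHUNKING
250-STARTTLS
250 HELP'

# Live use on the host itself (assumes nc is installed):
#   exposure_check "$(exim -bV)" \
#     "$(printf 'EHLO check\r\nQUIT\r\n' | nc -w 5 127.0.0.1 25)"
if exposure_check "$SAMPLE_BV" "$SAMPLE_EHLO"; then
  echo "all three conditions present: patch to 4.99.3 or later"
else
  echo "not all conditions present (still patch when the update is available)"
fi
```

A "no" on any line does not make the host safe if the build is later changed or CHUNKING re-enabled; the check describes the current configuration only.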

Severity

This is an unauthenticated, remote RCE, which puts it at the top of the risk scale. An attacker who pulls it off could run commands on the mail server, read the data and messages Exim handles, and use that foothold to move into the rest of the internal network. At disclosure there was no known active exploitation and no working proof-of-concept had been released, though the path to building one was discussed. The absence of a public exploit is not a reason to delay patching.

The timeline moved quickly. Federico Kirschbaum, a researcher at XBOW, reported it on 1 May; the maintainers acknowledged it on 5 May; distributions were notified on 8 May; and the fix landed with Exim 4.99.3 on 12 May 2026.

Mitigation

The direct route is to update to Exim 4.99.3 or later. On Debian and Ubuntu, install the patched version from the package manager (apt update && apt upgrade) and restart the service. If you genuinely cannot patch right away, shrinking the attack surface helps: disabling CHUNKING removes one of the three required conditions, and reviewing whether you really need the GnuTLS build over an OpenSSL one is a reasonable medium-term move. None of these replace applying the fixed release.

If you want the technical pattern behind this class of bug, we covered another use-after-free in the kernel TLS stack in CVE-2026-23240: use-after-free in Linux kernel TLS.
